
General Practice Information, HIPAA, HR, & Safety


General Practice Information

Q:  Do you have sample letters for how we should direct our patients?

A:  We have developed two sample letters for use in directing your patients on how you are handling the Coronavirus situation. These are templates which must be customized to your situation. We advise all practices to review your policies and educate your staff as you consider system changes. 

Q:  The following letter from CMS covers many details of COVID-19 business and patient care areas and provides numerous links to informational documents.

CMS Dear Clinician Letter

Q:  Should I stop performing non-emergent and elective surgeries in my practice?  

A:  This CMS document provides recommendations to limit those medical services that could be deferred, such as non-emergent, elective treatment and preventive medical services for patients of all ages.  Be aware that some states and municipalities have enacted executive orders with stricter guidelines and definitions of non-essential medical services.  If you have questions, check with your state or local government websites and/or Board of Medical Examiners.



Q:  Can your Business Associates disclose patient information in the interest of public health and do they have to notify us if they do?

A:  Previously, Business Associates (BAs) could only release patient information under the direction of the Covered Entity.  On April 2, 2020, the OCR provided notice that they are relaxing those requirements on BAs so they can release pertinent COVID-19 related information in the interest of public health. The notice specifically states:
OCR will exercise its enforcement discretion and will not impose penalties against a business associate or covered entity under the Privacy Rule provisions 45 CFR 164.502(a)(3), 45 CFR 164.502(e)(2), 45 CFR 164.504(e)(1) and (5) if, and only if:

  • the business associate makes a good faith use or disclosure of the covered entity’s PHI for public health activities consistent with 45 CFR 164.512(b), or health oversight activities consistent with 45 CFR 164.512(d); and
  • the business associate informs the covered entity within ten (10) calendar days after the use or disclosure occurs (or commences, with respect to uses or disclosures that will repeat over time).

Q:  Is it acceptable to share PHI about a COVID-19 positive, or potentially positive, patient with first responders?

A:  The HIPAA Privacy Rule permits a covered entity to disclose the protected health information (PHI) of an individual who has been infected with, or exposed to, COVID-19, with law enforcement, paramedics, other first responders, and public health authorities without the individual’s HIPAA authorization under certain circumstances.  This link provides the document that specifies when it is acceptable to disclose PHI to first responders. 

Q:  Are the HIPAA requirements waived during an emergency?

A: HIPAA Privacy and Security rules are still in effect, and for the most part have not been waived or relaxed.
In regards to telehealth (telemedicine), the Office for Civil Rights (OCR) has recently provided notice stating they will waive penalties for any potential HIPAA violations by healthcare providers who use everyday communications technologies such as FaceTime, Skype, Facebook Messenger video chat, Google Hangouts video chat, and similar private-facing platforms during the Coronavirus crisis for telehealth services. The OCR has also indicated platforms such as Facebook Live, Twitch, TikTok, and similar video services are considered public-facing and should NOT be used for telehealth services.
These relaxations for telehealth (telemedicine) are only for the remote treatment of patients through one-on-one communication technologies. Staff should continue following all Privacy and Security policies and procedures for protecting the privacy, security, and integrity of patient information, whether from the office or from home. Please see the FAQ on employees working from home for additional information on protecting patient information for those working from home.
HHS has a decision tool to walk you through the process of determining when, what, and how PHI may be disclosed in a Public Health Emergency.  These appropriate disclosures would be:

  • Treatment- information may be shared amongst the patient’s treating providers and those to which the patient is being referred for treatment.
  • Public Health Activities- information may be shared with public health authorities, such as the local health department, CDC, and those authorized by law to collect or receive such information to prevent or control disease or injury.
  • Family, Friends, and Others Involved in the Patient’s Care- limited information may be disclosed to certain friends, family members, or other individuals that are involved in the care of that person. Practices should still get verbal permission from the patient unless it can be inferred the patient wouldn’t object, or, using professional judgment, the provider determines it is in the patient’s best interest.
  • To Prevent a Serious and Imminent Threat- relevant information may be shared with anyone necessary to prevent or lessen a serious or imminent threat to the health and safety of a person or the public. This will be based on the professional judgement of the provider in making determinations as to the nature and severity of the threat.
  • To First Responders at Risk for Infection- relevant information may be shared with First Responders so they may take additional steps to protect themselves or wear personal protective equipment.

In light of the COVID-19 pandemic, the Substance Abuse and Mental Health Services Administration (SAMHSA) has provided guidance stating that, when a medical emergency exists as determined by the provider, healthcare providers may use their own judgement when disclosing substance use disorder records to other providers for treatment purposes. This is typically a disclosure that is not permitted without written patient consent, but SAMHSA has relaxed this requirement during the current crisis. SAMHSA emphasizes that, under the medical emergency exception, providers make their own determinations whether a bona fide medical emergency exists for purposes of providing needed treatment to patients.
These current relaxations, while they do not have an expiration date, are not permanent and will more than likely revert to previous guidance once the current State of Emergency passes.

Q: What should we tell patients about HIPAA and COVID-19 testing?

A: Patients should be aware that there is mandatory reporting of COVID-19 to the Department of Health, but that is still confidential.  The health department takes over once reported, but the physician offices still have to maintain confidentiality.

Q:  What do I need to consider if I have employees working from home?

A:   From a HIPAA standpoint, employees should treat patient information with the same privacy and security as they would in the office.  The current relaxation of Security guidelines only relates to Telehealth.  Practices must include employees working remotely in their Security Risk Analysis in order to remain compliant. Additionally:

  • Employees should have Confidentiality Agreements already in place, whether they are working in the office or at home.
  • Specific policies and procedures should be in place for employees that work from home.
  • Limit employee access to only the information necessary to do their job.
  • Encrypt home wireless routers and change default passwords on their wireless routers to something more challenging.
  • Utilize a Virtual Private Network (VPN) if staff must log into a server.
  • Require work to be completed in an area of the home where only the employee can access and see patient information.
  • Instruct employees not to make copies, print, or save patient information on private devices.
  • If hard copies of patient information must be printed or kept, they should remain in a secure location with only employee access or be destroyed in a proper way such as confetti shredding.
  • Avoid emailing patient information unless using encrypted email.
  • Protect login information in a secure location and do not leave it out for anyone to see.



Check here for the latest guidance from OSHA on protecting your employees from COVID-19.
Click here for SVMIC's Comprehensive Practice Re-opening Checklist.
Q:  With the possibility of infection so high among healthcare workers, what is my responsibility to my employees?

A:  There are no new requirements for employers. The Occupational Safety and Health Act (OSHA) has always required employers, including medical practices, to assure safe and healthful working conditions. OSHA’s Guidance on Preparing Workplaces for COVID-19 can be found here.

Q: I have employees who have had an exposure to someone with COVID-19. Can they still come to work?

A:  Each situation should be handled on a case-by-case basis. Use the CDC guidelines found here.

Q:  Can we allow healthcare personnel who have tested positive or are suspect for COVID-19 to return to work?

A:  The CDC has provided dedicated resources to help with strategies to bring healthcare personnel with confirmed COVID-19, or who have suspected COVID-19, back to the workplace.  This link, updated on April 13, 2020, has criteria and cautions every practice should consider as they bring back employees. 


Q:  Are there any strategies to help us maximize the use of our medical gloves?

A:  The CDC has provided contingency and crisis strategies based on assumptions of current CDC recommendations for medical practices.  Strategies for Optimizing the Supply of Disposable Medical Gloves.

